Apache Releases Security Update for HTTP Server
The Apache Software Foundation has released Apache HTTP Server 2.4.52.
CVE-2021-44790 (CVSS score: 9.8 - CRITICAL) - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2021-44224 (CVSS score: 8.2 - HIGH) - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Apache HTTP Server 2.4.52 addresses vulnerabilities CVE-2021-44790 and CVE-2021-44224, one of which may allow a remote attacker to take control of an affected system.
Updates are available. Please see the references or vendor advisory for more information.
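To triage a host against the conditions described above, the following added example (not part of the original advisory or Apache's own tooling) checks a version banner and configuration text for the affected version ranges, a loaded mod_lua, and `ProxyRequests on`. The function names and sample input are assumptions made for illustration.

```python
import re

def parse_version(banner):
    """Extract (major, minor, patch) from text such as `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(part) for part in m.groups())

def active_directives(config_text):
    """Yield (lowercased name, argument string) for each directive line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and section containers such as <VirtualHost>.
        if not line or line[0] in "#<":
            continue
        name, *rest = line.split(None, 1)
        yield name.lower(), rest[0] if rest else ""

def assess(banner, config_text):
    """Return {CVE id: reason} for the two CVEs this host may be exposed to."""
    version = parse_version(banner)
    directives = list(active_directives(config_text))
    findings = {}
    # CVE-2021-44790: 2.4.51 and earlier, reachable only through mod_lua.
    lua = any(n == "loadmodule" and a.split()[:1] == ["lua_module"]
              for n, a in directives)
    if version <= (2, 4, 51) and lua:
        findings["CVE-2021-44790"] = "mod_lua loaded; review scripts calling r:parsebody()"
    # CVE-2021-44224: 2.4.7 up to 2.4.51 with the forward proxy enabled.
    forward = any(n == "proxyrequests" and a.lower() == "on" for n, a in directives)
    if (2, 4, 7) <= version <= (2, 4, 51) and forward:
        # Assumption: a reverse-proxy Unix socket target appears as "unix:" in ProxyPass.
        uds = any(n in ("proxypass", "proxypassmatch") and "unix:" in a.lower()
                  for n, a in directives)
        findings["CVE-2021-44224"] = ("forward proxy plus Unix socket backend (SSRF case)"
                                      if uds else "forward proxy enabled (crash case)")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "Server version: Apache/2.4.51 (Unix)"
SAMPLE_CONFIG = """
LoadModule lua_module modules/mod_lua.so
ProxyRequests On
<VirtualHost *:80>
    ProxyPass "/app" "unix:/run/app.sock|http://localhost/"
</VirtualHost>
"""

if __name__ == "__main__":
    for cve, reason in assess(SAMPLE_BANNER, SAMPLE_CONFIG).items():
        print(cve, "-", reason)
```

The check reads only the text it is given: it does not follow `Include` directives or detect a statically compiled mod_lua, so an empty result is not proof that a host is unaffected.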
Published: 23 December 2021, 13:41:18 BST